Tutorial: Resolving Cloudflare SSL "Invalid SSL certificate" Error

Problem Description

When using Cloudflare SSL for your website, you may encounter a situation where:

  • Accessing example.com works fine
  • Accessing www.example.com results in an “Invalid SSL certificate” error

Cause Analysis

This issue is typically caused by incorrect configuration of Cloudflare SSL rules.

Solution

To resolve this issue, follow these steps to change your SSL/TLS encryption mode:

  1. Log in to your Cloudflare account
  2. Select the domain you’re working with
  3. Go to the SSL/TLS section
  4. Find the “SSL/TLS encryption mode” settings
  5. Change the Custom SSL/TLS setting to Full

This setting enables end-to-end encryption and should be used when your origin server supports SSL/TLS but does not use a valid, publicly trusted certificate.

Explanation

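The “Full” SSL mode in Cloudflare creates an encrypted connection between your visitors and Cloudflare, and another encrypted connection between Cloudflare and your origin server. This setup allows Cloudflare to establish a secure connection with your server even if it’s using a self-signed or expired certificate. In other words, Full mode encrypts the Cloudflare-to-origin connection but does not validate the origin certificate, so that leg is not authenticated; if your origin has a certificate that is valid and trusted by Cloudflare, the “Full (strict)” mode adds that validation.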

By switching to this mode, you ensure that both example.com and www.example.com are properly covered by the SSL certificate, resolving the “Invalid SSL certificate” error for the www subdomain.

Additional Important Step: Domain Redirection

After modifying the SSL settings, it’s crucial to set up proper domain redirection. You have two options:

  1. Redirect www to root domain: Set up a 301 redirect from www.example.com to example.com OR
  2. Redirect root to www: Set up a 301 redirect from example.com to www.example.com

This step ensures consistency in your website’s URL structure and improves SEO by preventing duplicate content issues.

To set up the redirect in Cloudflare:

  1. Go to the “Rules” section in your Cloudflare dashboard
  2. Click on “Create Page Rule”
  3. Enter the URL pattern you want to redirect (e.g., http://www.example.com/* or http://example.com/*)
  4. Choose “Forwarding URL” as the setting
  5. Select “301 - Permanent Redirect” as the status code
  6. Enter the destination URL (e.g., https://example.com/$1 or https://www.example.com/$1)
  7. Save and deploy the rule

Remember to test your website after making these changes to ensure everything is working as expected, including both the SSL connection and the domain redirection.
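A way to script the test step above, as an added example that is not part of the original tutorial: it checks that a certificate's SAN list covers both hostnames and that the redirect is a 301 to the canonical HTTPS host. The function names and the sample certificate dictionaries are constructed for illustration; fetch_cert and fetch_redirect need network access.

```python
import http.client
import socket
import ssl


def san_covers(cert: dict, host: str) -> bool:
    """True if a getpeercert()-style dict has a DNS SAN matching host.
    A wildcard matches exactly one left-most label, so *.example.com
    covers www.example.com but not example.com itself."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def redirect_ok(status: int, location: str, canonical: str) -> bool:
    """True for a 301 whose Location is https:// on exactly the canonical host."""
    prefix = f"https://{canonical}"
    return status == 301 and (location == prefix or location.startswith(prefix + "/"))


def fetch_cert(host: str, timeout: float = 5.0) -> dict:
    """Validated handshake as a browser would do it; raises
    ssl.SSLCertVerificationError if the edge certificate is invalid for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_redirect(host: str, path: str = "/", timeout: float = 5.0):
    """Plain-HTTP request; returns (status, Location) without following it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
APEX_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
APEX_AND_WILDCARD = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
```

Against a live site, call fetch_cert for both example.com and www.example.com and pass the results to san_covers, then pass fetch_redirect's result for the non-canonical host to redirect_ok.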
